Client Portal Privacy Policy
Last Updated: September 2, 2022
This Privacy Policy describes how SimplePractice LLC (“SimplePractice,” “we,” “us,” or “our”) collects, uses and discloses the Personal Information (as defined below)
of our Customer’s patients and clients (“Clients,” “you,” or “your”) when using the client web portal and client mobile application
(including telehealth services) controlled by their healthcare or wellness
Provider (our “Customer” or your “Provider”) (collectively, the “Client Portal” or the “Services”).
Certain SimplePractice Services may use a different privacy policy to
provide notice to you about how we use and disclose the Personal Information
we collect in the context of that Service. To the extent that we post or
reference a different privacy policy, that different privacy policy, not
this Privacy Policy, will apply to your Personal Information collected in
the context of that Service.
1. Note to SimplePractice Customers and their Clients
Our treatment of Client Personal Information is governed by our
agreements with our Customers, including our SimplePractice Terms of Service
and HIPAA Business Associate Agreement, as applicable (our “Agreement”). If
any provision in our Agreement with our Customers conflicts with any
provision in this Privacy Policy, the provision in the Agreement will
control to the extent of such conflict.
We will also direct Clients to their Providers, the controller of their
personal information. Please see the “California Privacy Statement”
and “Additional State Privacy Laws” sections of this privacy policy for more details.
If you are a Client of one of our Customers, we may retain your Personal
Information on behalf of that Customer. If you have questions about how we
process your Personal Information, we encourage you to reach out to the
appropriate Customer or visit our Help Center.
2. Personal Information We Collect
“Personal Information” is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household, such as your name, email address, IP address, telephone number, and broader categories of information such as your professional, educational or health information, commercial information and internet activity.
In the course of you using the Client Portal, we may collect Personal Information directly from you or indirectly from you, such as through your Provider.
The categories of Personal Information we collect about you depend upon your interactions with us and how you utilize the Client Portal. For example, we may collect:
- Identifiers and contact information, such as your name, email address, mailing address, phone numbers, and
IP addresses. We collect this information directly from you or indirectly
from your Provider when your Provider creates or edits your Client
Profile, for allowing your Provider to communicate with you and provide
their services to you, to enable you to access the Client Portal, and to
enable your electronic signature on certain documents or agreements.
- Billing information, such as your insurance information, invoices, name, email address,
mailing address, phone number, Provider information, date of services, and
services received. We store this information on behalf of you and your
Provider so that your Provider may process your payments to them, and so
that you may view and manage your billing information in the Client
Portal.
- Audio, electronic and visual information, such as your photographs or images, your voice and other similar
information. We process this information to enable you and your Provider
to use our Telehealth service, if applicable, and to allow you to create
file attachments in the Client Portal.
- Internet, device, and other electronic network activity
information, such as your browsing history, search history, device and connectivity
data, and your navigation and interactions within and with our Services.
We collect this information in an anonymized format, in which your
identity is not verifiable. We collect this information through a
third-party source or through our cookies and other tracking technologies
in order to conduct business analytics or to improve our business
functionality and the Services. The appropriate contracts are in place
with third-party sources to ensure they do not use this information beyond
the purpose of providing services to us. Please review the “Data Collection Technologies and Cookies” section below to learn more about our use of cookies and data
collection technologies.
- Profile information and inferences, such as information about your preferences and characteristics. We
collect profile information by drawing inferences from the above
categories of Personal Information, in an anonymized format, in order to
understand Client patterns and preferences, and to enable us to tailor and
update our Services and communications.
- Appointment Information, such as date, time and location of your appointments with your
Provider. We store this information on behalf of your Provider so that you
and your Provider can view and manage your appointments.
- Sensitive personal information, collected on behalf of your Provider in the course of providing their
services to you, such as your race or ethnic origin, sexual orientation,
credit or debit card number, health status, driver’s license or subsequent
form of identification, or secure messages exchanged between you and your
Provider. We may store this information on behalf of your Provider to
ensure they can manage your Client Profile, provide their services and/or
care to you, verify your identity and insurance information, and to allow
them to process payments from you. We also store this information so that
you may manage your payments to your Provider and so that you may securely
communicate with your Provider in the Client Portal. This information is not accessed or used outside of what is described
in this privacy policy and is in accordance with HIPAA privacy law.
Please contact your Provider for questions regarding how they handle
your sensitive personal information.
- Information we receive from authentication services you connect to our
Services. Some parts of our Services may allow you to login through a third-party
social network or authentication service such as Google. These services
will authenticate your identity and provide you the option to share
certain personal information with us, which may include your name, email
address, or other information. The data we receive is dependent on that
third party’s policies and your privacy settings on that third-party site.
We will treat Personal Information collected from third party sources in
accordance with this Privacy Policy, but we are not responsible for the
accuracy of information provided by third parties or for their policies or
practices. If you choose to connect a Google or Gmail account to our
Services, we will ask you to grant us application permissions to access
your Gmail account. These permissions are necessary to sustain the
functionality of our Services. We will store your authentication token and
account email address. This data will be securely stored to be used by us
to provide you with the Services (including, but not limited to, allowing
you to access the Client Portal). This data will not be voluntarily shared
with any third parties, but we may provide this information to legal
authorities upon their lawful request. You may choose to disconnect your
Gmail account at any time. We do not use data obtained from Clients (from
their Google accounts) for advertising purposes. We may need access to the
user data to resolve a support issue, provide advice on service usage or
provide any other help requested by the Client, or as such access may be
necessary for a security investigation or to comply with applicable laws.
We use this information to operate, maintain, and provide to you the
features and functionality of the Services. We may also send you
service-related emails or messages (e.g. Client support, changes, or
updates to features of the Services, or technical and security
notices).
3. How We Use Personal Information
In addition to the purposes for collection described above, we also collect
your Personal Information for the following general purposes:
- To maintain your Client Profile, to send you requested product and Client Portal information, and to send you product and Client Portal updates;
- To respond to your support or help center requests and address your questions and concerns;
- To process billing information and transactions within the Client Portal;
- To authenticate your identity and allow you to view, fill out, and sign documents in the Client Portal;
- To administer, measure, and improve our Services and Client Portal experience, including measuring the effectiveness and functionality of the Services, aggregating statistical information on site usage, diagnosing problems with our servers, and analyzing traffic;
- To detect security incidents, to protect against malicious, deceptive, fraudulent or illegal activity, and to comply with our policies and procedures;
- To comply with our legal, regulatory and risk management obligations, including establishing, exercising and/or defending legal claims, responding to law enforcement requests and as required by applicable law, court order, or governmental regulations, and to comply with applicable state and federal laws, including, but not limited to laws related to protecting Client and public health and safety;
- Any other purpose with your consent.
4. How We Share and Disclose Your Personal Information
We may share your Personal Information in the following
circumstances:
- To your Providers/our Customers: We share your Personal Information with your Providers/our Customers in
order to provide you with the Services and facilitate our agreements with
our Customers.
- To Service Providers: We may share your Personal Information with companies that provide
services to us, such as for hosting, marketing and communication services,
analytics services, and payment processing (“Service Providers”). Our
policy is to authorize these Service Providers to use your Personal
Information only as necessary to provide services for us, and we require
that the appropriate contracts are in place to ensure they do not use or
disclose your Personal Information for any other purpose.
- To parties outside of SimplePractice:
  - We may share your Personal Information with our parent and affiliate companies in order for them to provide analytics across the entire corporate family and for other internal business purposes.
  - From time to time, we may be required to provide Personal Information to a third party in order to comply with a subpoena, court order, government investigation, or similar legal process.
  - We may also share your Personal Information with third parties, such as law enforcement agencies, when we, in good faith, believe that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
- To any other third party for whom you have given your consent for us
to share your Personal Information.
- In a corporate transaction: If SimplePractice is involved in a corporate transaction, such as a
bankruptcy, merger, acquisition, reorganization, or sale of all or a
portion of its assets, we may share or transfer your Personal Information
as part of any such transaction.
5. Access and Choice
Client Portal Contents: If your Personal Information changes, it can be modified by contacting
your Provider and requesting that they update your Personal Information.
Only certain information, such as your billing information, can be modified
by you in the Client Portal.
Push Notification Preferences: We may send you emails or banners in the Client Portal relative to your
relationship with your Provider, with us, and your transactions. This may
include, but is not limited to alerts, push notifications, appointment
reminders and updates, and updates to our products, services, and policies.
You can edit your push notification preferences in the “Notification
Settings” section of the Client Portal.
Client Profile Deletion: We provide our customers a software service with which they can manage their Client’s information. We control a limited amount of your data. If you wish to have your information within the Client Portal deleted, please contact your Provider. Please note that this may affect your Provider’s ability to provide you with their services and that this data may be subject to certain data privacy laws and regulations. If you wish to delete other information that SimplePractice collects about you as outlined in this privacy policy, please refer to our “California Privacy Statement” and “Additional State Privacy Laws” sections in this privacy policy.
Please understand that we will not be able to provide you Services if you
are not a Client of a SimplePractice Customer.
6. Data Collection Technologies and Cookies
As is true of many digital properties, we and our third-party partners may
automatically collect certain information from or in connection with your
device when visiting or interacting with our Services, such as:
- Log Data, including internet protocol (IP) address, operating system, device type
and version, browser type and version, browser id, the URL entered and the
referring page/campaign, date/time of visit, other user agent string data,
the time spent on our Services, and any errors that may occur during the
visit to our Services. Log data may overlap with the other categories of
data below.
- Analytics Data, including the electronic path you take to our Services, through our
Services and when exiting our Services, UTM source, as well as your usage
and activity on our Services, such as the time zone, activity information
(first and last active date and time), usage history (emails opened, total
log-ins) as well as the pages and links you view, click or otherwise
interact with.
- Location Data, such as general geographic location which can be inferred based on your
IP address.
We and our third-party Service Providers may use (i) cookies or small data
files that are sent to your browser from a web server and stored on your
computer’s hard drive and (ii) other, related technologies, such as web
beacons, pixels, SDKs, embedded scripts, and logging technologies (“cookies”) to automatically collect this information. We may use this information
to monitor and analyze how you use and interact with our Services.
We use information gathered from these technologies so that we can analyze
trends, administer the Services, and track users’ movements around the
Services.
If you would prefer not to accept cookies, most browsers will allow you to
change the setting of cookies by adjusting the settings on your browser to:
(i) notify you when you receive a cookie, which lets you choose whether or
not to accept it; (ii) disable existing cookies; or (iii) set your browser
to automatically reject cookies. Be aware that disabling cookies may
negatively affect the functionality of this and many other websites that you
visit. Disabling cookies may result in also disabling certain
functionalities and features of the Services.
Depending on your device and operating system, you may not be able to
delete or block all cookies. In addition, if you want to reject cookies
across all your browsers and devices, you will need to do so on each browser
on each device you actively use. You may also set your email options to
prevent the automatic downloading of images that may contain technologies
that would allow us to know whether you have accessed our email and
performed certain functions with it.
Do Not Track: Please note that the Services are not presently configured to
respond to DNT or “do not track” signals from web browsers or mobile
devices. As such, we do not recognize or respond to Do Not Track
requests.
7. Retention and Security
We will retain your Personal Information and sensitive Personal Information
for as long as your information resides in our Customer’s Clients and
Contacts list, as needed to provide you Services, and as necessary to comply
with our legal obligations, resolve disputes, and enforce our agreements.
We follow generally accepted standards to protect the Personal Information
submitted to us, both during transmission and once we receive it. For
example, when you enter sensitive information (such as when you submit your
intake forms), we encrypt the transmission of that information using secure
socket layer technology (SSL). However, no method of transmission over the
Internet, or method of electronic storage, is 100% secure. Therefore, we
cannot guarantee its absolute security.
8. California Privacy Statement
California residents have certain rights under the California Shine the
Light law, the California Consumer Privacy Act (“CCPA”), and the California
Privacy Rights Act (“CPRA”). The CPRA provided amendments and updates to the
CCPA.
CCPA and CPRA Disclosures: In general, within the preceding 12
months:
- We have collected the categories of Personal Information listed in Section 2 above.
- We have collected these categories of Personal Information directly from you, indirectly from your Provider or our Customer, and when you use the Client Portal and our Services, for the purposes described in Section 3 above.
- We have disclosed the following categories of Personal Information for business purposes: Billing and transactional information; internet, device, and network activity information; and profile information and inferences.
- We have not sold your Personal Information.
CPRA and CCPA Privacy Rights: Certain California residents are entitled to
privacy rights under the CPRA and CCPA. Clients who wish to exercise these rights should send an email to privacy@simplepractice.com or fill out this form, and also direct their requests to the Customer who controls their Personal Information.
- The right to know. You have the right to request to know (i) the specific pieces of Personal Information we have about you; (ii) the categories of Personal Information we have collected about you in the last 12 months; (iii) the categories of sources from which that Personal Information was collected; (iv) the categories of your Personal Information that we sold or disclosed in the last 12 months; (v) the categories of third parties to whom your Personal Information was sold or disclosed in the last 12 months; and (vi) the purpose for collecting and selling your Personal Information.
- The right to deletion. You have the right to request that we delete the Personal Information that we, including our third-party Service Providers, have collected or maintain about you. We may deny your request under certain circumstances, such as if we need to comply with our legal obligations or complete a transaction for which your Personal Information was collected. If we deny your request for deletion, we will let you know the reason why.
- The right to correct. You have the right to request correction of any inaccurate Personal Information we have about you.
- The right to opt-in and opt-out of sharing and selling of your Personal Information. We do not sell your Personal Information. We only share your Personal Information as outlined in this privacy policy to provide our Services to you.
- The right to limit use and disclosure of sensitive personal information. You have the right to restrict the ways in which we use and disclose your sensitive personal information. We do not use, share, or disclose your sensitive personal information in any way, except as outlined in this privacy policy for the purposes of providing our Services to you. We do not exchange this information for cross-contextual behavioral advertising nor for any commercial or monetary purposes.
- The right to equal service. If you choose to exercise any of these
rights, we will not discriminate or retaliate against you in any way. If
you exercise certain rights, understand that you may be unable to use or
access certain features of our Services.
You may exercise your right to know and your right to deletion twice a year
free of charge. Currently, there is no limitation on your right to correct,
although this is forthcoming. The remainder of your privacy rights are not
subject to limitations. To exercise your privacy rights please contact us at privacy@simplepractice.com or fill out this form.
We will take steps to verify your identity before processing your privacy
rights requests. We will not fulfill your request unless you have provided
sufficient information for us to verify you are the individual about whom we
collected Personal Information. If you have a Client Profile and use our
Services, we will use our existing authentication practices to verify your
identity. If you do not have a Client Profile, we may request additional
information about you to verify your identity. We will only use the Personal
Information provided in the verification process to verify your identity or
authority to make a request and to track and document request responses,
unless you initially provided the information for another purpose.
You may use an authorized agent to submit a privacy rights request. When we
verify your agent’s request, we may verify both your and your agent’s
identity and request a signed document from you that authorizes your agent
to make the request on your behalf. To protect your Personal Information, we
reserve the right to deny a request from an agent that does not submit proof
that they have been authorized by you to act on your behalf.
Shine the Light: Our California Clients are also entitled to request and
obtain from SimplePractice once per calendar year information about any of
your Personal Information shared with third parties for their own direct
marketing purposes, including the categories of information and the names
and addresses of those businesses with which we have shared such
information. However, we do not share your information with third parties
for their own direct marketing purposes.
9. Additional State Privacy Laws
SimplePractice takes our Customers’ and Clients’ privacy and data
protection very seriously, and we work vigorously to ensure we remain
compliant with applicable federal and state privacy laws.
Under the Virginia Consumer Data Protection Act (VCDPA), effective January
1, 2023, Virginia residents have additional privacy rights. Clients who wish
to exercise these rights should send an email to privacy@simplepractice.com
and also direct their requests to the Customer who controls their Personal
Information.
- The right to know, access and confirm personal data. You have the right to know whether or not we are processing your personal data and to access such personal data.
- The right to deletion. You have the right to request that we delete the Personal Information that we, including our third-party service Providers, have collected or maintain about you. We may deny your request under certain circumstances, such as if we need to comply with our legal obligations or complete a transaction for which your Personal Information was collected. If we deny your request for deletion, we will let you know the reason why.
- The right to correct. You have the right to request correction of any inaccurate Personal Information we have about you.
- The right to data portability. You have the right to easy and portable access to all pieces of Personal Information that we have collected or maintain about you.
- The right to opt-out of the processing of personal data for targeted advertising purposes. We do not use your Personal Information for targeted advertising. We may use your Personal Information, however, to provide updates to you about our product and Services and other necessary communications in the course of providing our services to you and your Provider.
- The right to opt-out of the sale of personal data. We do not sell your Personal Information. We only share your Personal Information as outlined in this privacy policy to provide our Services to you.
- The right to opt-out of profiling based upon personal data. You have the right to opt-out of any processing of personal data for the purposes of profiling for decisions that produce legal effects or similarly significant effects on you. We do not use your Personal Information for this purpose.
- The right to equal service. If you choose to exercise any of these rights, we will not discriminate or retaliate against you in any way. If you exercise certain rights, understand that you may be unable to use or access certain features of our Services.
Per the VCDPA, information provided in response to your requests
shall be provided by us, free of charge, up to twice annually per Client. We
will update this privacy policy periodically and as necessary to maintain
compliance with the evolving privacy landscape.
10. Additional Information
Information for Visitors and Users from Outside of the United
States: We are committed to complying with this Privacy Policy and the data
protection laws that apply to our collection and use of your Personal
Information. We are located in the United States, where the laws may be
different and, in some cases, less protective than the laws of other
countries. By providing us with your Personal Information and using the
Services, you acknowledge that your Personal Information will be transferred
to and processed in the United States and other countries where we and our
vendors operate.
Links to Other Sites: The Services may contain links to other sites that are not owned or
controlled by SimplePractice. This may include, but is not limited to, links
to add appointments to your calendar or links for directions to your
Provider’s office. Please be aware that we are not responsible for the
privacy practices of such other sites. We encourage you to be aware when you
leave our site and to read the privacy statements of each and every website
that collects Personal Information. This Privacy Policy applies only to
information collected or stored in or by our Services.
Children’s Privacy: Our Services are not directed towards, nor do we knowingly collect any
Personal Information from children under 13, unless they are a Client of our
Customer. Please contact your Provider for information on how they collect
and handle information from a Client who is under the age of 13.
Changes to This Policy: We may update this Privacy Policy to reflect changes to our information
practices. If we make any material changes, we will notify you by email
(sent to the email address specified in your Client Profile) or by means of
a notice in our applications or on our websites prior to or upon the change
becoming effective. We encourage you to review this page periodically for
the latest information on our privacy practices.
11. Contact Us
If you have any questions in connection with this Privacy Policy or other
privacy-related matters, please visit our Help Center.
Rev. Sept. 2022/ © 2022 SimplePractice, LLC All rights reserved.